[Samba] I want to use CNAMES for my SAMBA server, how?
dlmeyer at uiuc.edu
Mon Jul 10 23:35:04 GMT 2006
At 03:00 PM 7/10/2006, Gerald (Jerry) Carter wrote:
>Mann, Roy (RGMR) wrote:
> > I have a RedHat Enterprise 3 server running SAMBA 3.0.10. The server
> > has been joined to the Active Directory forest using its fully qualified
> > domain name.
> > Windows clients can successfully map drives using that fully qualified
> > name. However, services have a tendency to be moved or need failover
> > during maintenance
> > so I would prefer to tell customers to use a service alias like
> > smbserver3.rest.ofthe.domain.com. When clients use that alias, I can
> > see attempts at Kerberos
> > authentication in the logs on the SAMBA server using the canonical FQDN
> > so Windows is getting the right address, talking to the right smbd, but
> > authentication fails.
>If you are using CNAMES, add the appropriate servicePrincipalName
>to the machine's object in AD. Something like adsiedit works well.
Interesting... I never would have gotten here in a month or
three. I've been seeing this problem sporadically of late, as
well. Months ago, things worked fine without this.
My question though is what are the ramifications of a similar
situation: Where the CNAME might be dynamically moved to point to
another system's base IP address in the case of a transfer of
service/fail-over. Does this servicePrincipalName for the FQDN need
to be deleted and added to the new host's object, or can the same
servicePrincipalName be added to each machine's object? -- each
machine that might be used to host that service address, that is...
The answer to this has ramifications for the way we are implementing
many other services, and are trying to use the same paradigm under
Samba. We define a role IP name (FQDN) for a given service and tie
it to a particular IP address. Then pass the IP address around as
necessary -- the server serving as primary for a given service picks
up the role address for that service in addition to its configured
base IP address. Realistically, client requests are configured to
employ the defined role FQDN.
I assume the adsiedit utility mentioned is a windows executable and
must be run at the DC. If these commands/utilities need to be run
at the DC each time a service fails over, then this will be a major
problem. Is there any functionality that would allow these changes
to be effected from a Samba-based system, in order to avoid the need
for commands run at the DC? (I suppose if the setting(s) could be
safely preloaded for each server/object that might host a particular
service address, then this remote capability might not be quite so
I look forward to any/all input on this scenario...
Don Meyer <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"They that can give up essential liberty to obtain a little
deserve neither liberty or safety." -- Benjamin Franklin, 1759
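On the fail-over question raised above: a servicePrincipalName has to be unique within the AD forest, so HOST/alias and cifs/alias can be registered on exactly one computer object at a time; leaving the same alias SPN on two machine objects is itself a cause of Kerberos authentication failures. The script below is an added example, not code from the original post or from the Samba project: given an LDIF export of the computer objects (for instance from ldapsearch), it reports which object holds each alias SPN, flags duplicates or missing entries, and emits the LDIF modify operations that move the SPNs to the new host. The realm, host names and DNs are constructed sample values.

```python
"""Audit which AD computer objects hold the Kerberos SPNs for a service alias.

Added example (not from the list post or from Samba). Every
servicePrincipalName must be unique within the forest, so the HOST/<alias>
and cifs/<alias> entries for a CNAME must sit on one machine object only.
Given a minimal LDIF export of computer objects, this script reports the
holder of each alias SPN, flags duplicates or missing SPNs, and builds the
LDIF modify operations that move them on fail-over. All names below are
constructed sample values.
"""
from collections import defaultdict

# Constructed sample export: FS1 currently serves the alias, and FS2 was
# wrongly given the cifs/ alias SPN as well (a duplicate that breaks Kerberos).
SAMPLE_LDIF = """\
dn: CN=FS1,CN=Computers,DC=example,DC=com
dNSHostName: fs1.example.com
servicePrincipalName: HOST/FS1
servicePrincipalName: HOST/fs1.example.com
servicePrincipalName: cifs/fs1.example.com
servicePrincipalName: HOST/smbserver3.example.com
servicePrincipalName: cifs/smbserver3.example.com

dn: CN=FS2,CN=Computers,DC=example,DC=com
dNSHostName: fs2.example.com
servicePrincipalName: HOST/FS2
servicePrincipalName: HOST/fs2.example.com
servicePrincipalName: cifs/fs2.example.com
servicePrincipalName: cifs/smbserver3.example.com
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into {dn: {attr: [values]}} (no line folding or base64)."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None            # blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = records.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return records


def alias_spns(alias):
    """The SPNs a Windows client requests when mapping a share by the alias name."""
    return [f"HOST/{alias}", f"cifs/{alias}"]


def spn_holders(records, spn):
    """DNs whose servicePrincipalName contains spn (SPNs compare case-insensitively)."""
    return [dn for dn, attrs in records.items()
            if any(v.lower() == spn.lower() for v in attrs.get("servicePrincipalName", []))]


def audit_alias(records, alias):
    """Map each alias SPN to its holders; both 'duplicate' and 'missing' break Kerberos."""
    report = {}
    for spn in alias_spns(alias):
        holders = spn_holders(records, spn)
        status = "ok" if len(holders) == 1 else ("missing" if not holders else "duplicate")
        report[spn] = {"holders": holders, "status": status}
    return report


def failover_ldif(records, alias, new_dn):
    """LDIF modify operations that leave new_dn as the sole holder of the alias SPNs."""
    ops = []
    for spn in alias_spns(alias):
        for dn in spn_holders(records, spn):
            if dn != new_dn:          # strip the SPN from every other object first
                ops.append(f"dn: {dn}\nchangetype: modify\n"
                           f"delete: servicePrincipalName\nservicePrincipalName: {spn}\n-\n")
        if new_dn not in spn_holders(records, spn):
            ops.append(f"dn: {new_dn}\nchangetype: modify\n"
                       f"add: servicePrincipalName\nservicePrincipalName: {spn}\n-\n")
    return "\n".join(ops)


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for spn, info in audit_alias(recs, "smbserver3.example.com").items():
        print(f"{spn}: {info['status']} {info['holders']}")
    print(failover_ldif(recs, "smbserver3.example.com",
                        "CN=FS2,CN=Computers,DC=example,DC=com"))
```

The generated LDIF can be applied with ldapmodify from any host that can bind to a DC, including the Samba server, so the change need not be typed at the DC. Two caveats a practitioner should expect: a computer account's own "validated write" right only lets it register SPNs that match its own dNSHostName, so writing an alias SPN onto a machine object needs an account that has been delegated write access to servicePrincipalName; and the new host must hold keys for the alias principals in its keytab (they derive from its own machine password, and recent Samba releases expose SPN and keytab handling under the net ads command, so check the net(8) manpage for the version in use).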